lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 24 May 2011 18:58:19 +0200
From: Wouter Coekaerts <wouter@...kaerts.be>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: E-mail address spoofing with RLO

E-mail address spoofing with RLO - http://wouter.coekaerts.be/2011/email-rlo

Introduction
=============
When we reply to an e-mail, the address we see in the To-field serves
a purpose beyond getting our answer back to original sender. We attach
a meaning to these addresses. If we see john.smith@...mple.com, we
expect that we're really sending a mail to someone at the Example
company.
We may have learned not to trust the "From" address: that's about as
unreliable as the return address on the back of an envelope. But we
should be careful with what we think we see in To-field too.

Problem
=======
The problem comes from the unicode "right-to-left override" (RLO,
U+202E) character. It's an invisible character, that forces the text
after it to be treated as right-to-left. For example "abc[RLO]def" is
displayed as "abcfed". It's well known that these kind of characters
have security implications[1][2], it has led to other problems[3]
before, and this is a new one in that category:
It can be abused to display an E-mail address backwards, so that it
appear to be on a different domain than it actually is.

Details
=======
An RLO is usually not accepted in an address, but it is accepted in
the display name. The display name and the address are often shown
together, allowing the RLO in the display name to affect how the
address is shown. For example, "Firstname Lastname [RLO]
<moc.mitciv@...acker.com>" is displayed as "Firstname Lastname
<moc.rekcatta@...tim.com> ".

This can not be used to spoof arbitrary addresses because the
attacker's reversed real domain is still in it. But it can be used to
spoof any domain. And a well chosen domain name reversed can look like
a convincing foreign real name in the first part of the address.
This problem is worse than spoofing of the From-addresses, because an
attacker can have a whole conversation without an indication to the
victim that he's not who (from the domain) he pretends to be.

Affected software
=================
This affects most e-mail clients. These are the ones I tested, and
whose vendors have been made aware of this in 2009.
* Gmail: still vulnerable
* Hotmail: Fixed in February 2010 [4]
* Outlook 2007 (and later?): no fix announced, presumably still vulnerable
* Outlook Web Access: no fix announced, presumably still vulnerable
* Evolution: still vulnerable (Bug 601172 [5])
* KMail: Fixed since December 2009, KDE 4.2.x (never released), 4.3.5 and 4.4.0
* And more...

 1: http://unicode.org/reports/tr9/#Explicit_Directional_Overrides
 2: http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing
 3: http://www.mozilla.org/security/announce/2009/mfsa2009-62.html
 4: http://technet.microsoft.com/en-us/security/cc308575.aspx#0210
 5: https://bugzilla.gnome.org/show_bug.cgi?id=601172

Powered by blists - more mailing lists